Worm Could Wreck Exchange

Tuesday, Microsoft patched a flaw in Exchange 2000 and Exchange 2003's calendaring function. According to Microsoft's security bulletin, an attacker could exploit the vulnerability simply by sending a specially-crafted e-mail to the server.

Security experts agreed, and highlighted the danger Exchange administrators face.

"The widespread adoption of Microsoft Exchange and its built-in calendar functionality within the enterprise, combined with the unauthenticated remote access nature of the mail service, means that attackers will race to develop exploit material for this vulnerability," said Gunter Ollmann, director of Internet Security Systems' X-Force research team, in a statement.

"What's most concerning is that exploitation of this vulnerability does not require any user interaction whatsoever," added Ollmann.

Ollmann's team has confirmed that crashing Exchange is an easy chore. Worse, firewall best practices aren't an adequate defense.

"We expect to see active exploitation of this issue in the wild with the possibility of a worm," ISS said in its advisory.

Symantec seconded the motion in its own alert to DeepSight Threat Management System customers, but added that a "fuzzer" -- a tool used by both security professionals and hackers to vulnerability-stress test an application -- has already appeared, increasing the danger.

"Immunity [Security] has released an iCal fuzzer to their product partners," read the Symantec warning. "Although it is not known if this fuzzer is capable of triggering the bug addressed by this alert, there is a possibility it will in the future, or may find other unreported vulnerabilities. The fuzzer has been distributed as a module for the CANVAS exploit framework. Given the rapid development of this tool, it is likely that an exploit for this issue will be developed in the near future."

A working exploit could wreak havoc, Symantec added. Armed with one, all an attacker would have to do to compromise a large number of PCs would be to spam the worm to a list of e-mail addresses.

"Furthermore, a sophisticated worm could be created that uses different search engines to harvest addresses dynamically using randomly generated searches to avoid potential address collisions," the Cupertino, Calif.-based security giant concluded.

Symantec tagged the Exchange vulnerability as a "10" in its 1-through-10 scale to indicate the urgency with which administrators should patch their mail servers. Vulnerability tracker Secunia, meanwhile, marked the Exchange bugs as "Highly critical," its second-from-the-top ranking.